April 2017

April 27, 2017

These are the stories that endlessly entertain me. The Internet of Things is providing all kinds of new sources of evidence. As The Hartford Courant reported, Connecticut resident Richard Dabate now faces charges of murder, tampering with evidence and making a false statement in connection with the 2015 shooting death of his wife.

Dabate claimed an intruder shot his wife before trying to subdue Dabate. But Dabate said he fought back, ultimately burning the intruder with a torch before alerting police when the man escaped.

Detectives found no signs of a struggle or forced entry, and police dogs didn't detect another person's scent. An e-mail Dabate said he sent from his car was actually sent from his home laptop, further causing investigators to question his story.

Ya think?

The data from the Fitbit worn by his wife showed that the murder took place about an hour after Dabate said it did. Dabate claimed his wife had just walked in from the garage when the intruder shot her; however, Fitbit records indicated she walked 1,200 feet around her home in the ensuing hour before the device stopped registering movement at 10:05 a.m.

The month after the murder, Richard withdrew $90,000 from an account in his wife's name, following a failed attempt to cash in her $475,000 life insurance policy just five days after she was killed. The salacious details (including a pregnant girlfriend) may be found in the story.

59 percent of the organizations had experienced instances of employees accessing pornographic websites during the work day and 43 percent had users who were engaged in online gambling activities over corporate networks.

While inappropriate Internet use was to blame for some of the breaches in security protocol, malicious threats were also responsible for some of the unauthorized activity. The report found that 60 percent of all attacks are carried out by insiders and 68 percent of all insider breaches were due to simple negligence, while 22 percent were from malicious activity by a staffer and 10 percent were related to credential theft.

During the first and last two weeks of a person's employment, 56 percent of organizations saw potential data theft take place from leaving or joining employees.

Dtex Systems Senior Vice President Rajan Koo said "the large majority of those looking to bypass security protocols are doing so for recreational purposes, such as to use a blocked social media site on company networks." And of course, they tell other employees, so bypassing company protocols becomes a matter of routine.

As we lecture all the time, your employees are your greatest security threat – they may not have any malicious intent, but their determination to do whatever they want can cause a lot of security mischief.

April 25, 2017

Data Breach Today reported on April 19th that a Russian hacker has put together a low-end ransomware kit, called Karmen, that costs only $175. So if you're not a boy genius (or girl genius) and can't program but want to get into the lucrative ransomware business, it is very affordable to do so. Threat intelligence vendor Recorded Future was the source of the information about Karmen.

You may recall that the FBI has called ransomware a billion dollar a year business. Who wouldn't want a piece of that action?

Though the FBI and other law enforcement agencies counsel ransomware victims not to pay, if they haven't properly engineered their backups to recover the data, many say they have no choice but to pay. Payments (usually in bitcoin) used to be in the $300-$500 range but we are seeing much larger demands these days. Some entities are even stockpiling bitcoins so they can pay the cybercriminals quickly. Some entities make a business decision that the cost of paying the ransom is cheaper than being out of business for some period of time while data is recovered.

Ransomware as a service has been around for a while, but Karmen sure is cheap.

Some other ransomware as a service kits can be used for free, but kit users have to pay a share of profits to the developers. There must be something which tells the developers when the software is used and what the ransom was set at and when/if it was paid. Trust among criminals is pretty rare . . . though the article suggests that trust is how these systems operate. Hmmm, maybe, but I wouldn't count out programming that rats out people who don't pay up.

Karmen was first noted in March as a new gateway for would-be members of the very profitable ransomware industry. It strikes me that $175 is a long way from getting a share of the profits – and how long until someone figures out how to detect/defeat Karmen?

Karmen differs from its predecessor, the open source Hidden Tear, which was developed for research purposes (you can see how well that went) and then abandoned. There is a free decrypter for Hidden Tear at the No More Ransom! website. There does not appear to be a decrypter for Karmen.

The developer of Karmen, who calls himself DevBitox, added a dashboard to manage ransomware campaigns, among other features. For example, DevBitox claims on an underground forum that the malware can automatically delete itself after a victim pays the ransom. Karmen also comes in two versions, a light and full version, the latter of which can also detect debuggers, virtual machines and sandboxes.

DevBitox has allegedly sold 20 copies of Karmen and is offering only five more before capping sales. At $175 each, that's a lousy return. I'm perplexed by the developer's motivation frankly, though I understand that selling malware that remains undetectable to security products requires almost daily modifications, through a process called obfuscation or "cleaning." If DevBitox acquires too many customers, perhaps defeating Karmen would become more of a goal – and if defeated, it would hurt the developer's reputation in the underground. I don't pretend to understand the strategies of these cybercriminals, some of whom seem content to make minimal returns on their labors.

The article talks about the need to serve and provide maintenance on the copies sold – I can't believe there will be a lot of that going on, but again, this is not the world in which I live. How much work would the developer do to protect his reputation in his netherworld?

At the moment, we have no reliable information about how Karmen spreads or how many victims it has ensnared. DevBitox's advertisement claims Karmen is FUD, meaning fully undetectable, which is the term applied to malware that can get past any security software or other anti-malware defenses. This is pretty much the standard claim. Whether it is true is impossible (currently) to verify.

One thing I do know for sure is that the number of victims we've consulted with who have contracted ransomware is rising. A formerly niggling disease has turned into a very expensive epidemic.

April 24, 2017

As reported by Bank Info Security, Gov. Susana Martinez signed legislation on April 6th making New Mexico the 48th state to enact a data breach notification law. The law takes effect on June 16.

Alabama and South Dakota are now the only states without a data breach notification law.

The New Mexico statute "follows the same general structure of many of the breach notification laws in other states," privacy lawyer Jason Gavejian says. "Importantly, the definition of personal identifying information under New Mexico's Data Breach Notification Act includes biometric data."

Only a handful of states including Illinois, Iowa, Nebraska and Wisconsin define PII to include biometric data, according to the law firm Mayer Brown LLP.

An analysis of the new statute by Mayer Brown says New Mexico deviates in a few ways from what is typically required by most other states' data breach notification laws. "For example," the analysis says, "a service provider that processes data on behalf of a data owner must notify the owner of a breach 'in the most expedient time possible,' but not later than 45 days following discovery of the breach. In contrast, most states require service providers to notify data owners 'immediately,' and Florida and Georgia require notification by service providers within 10 days and 24 hours, respectively."

New Mexico's law requires businesses operating in the state to take reasonable security procedures to safeguard personally identifiable information. Unlike Massachusetts' law, the New Mexico measure is not prescriptive, giving much latitude to businesses to decide how best to protect PII.

The measure also requires organizations to notify the state attorney general if more than 1,000 New Mexicans were victims of a breach.

Like notification laws in many other states, organizations would be exempt from complying with the New Mexico statute if they must comply with the Gramm-Leach-Bliley Act that governs financial institutions handling private information or the Health Insurance Portability and Accountability Act that regulates patient information.

Alabama and South Dakota, are you two competing to be the last state to protect your residents?

April 20, 2017

It was a great pleasure to welcome our friend Craig Ball as a guest on our Digital Detectives podcast. It suffices to say that Craig's rapier wit was in full display as was his genius for explaining complex processes and tools to lawyers. If preserving social media is part of what you do, or would like to do, this is a great way to learn from a master.

April 19, 2017

The New York Times published a thoughtful article about this topic, concluding that lawyers don't have to worry about being replaced by artificial intelligence – yet.

Frank Levy, a labor economist at MIT and Dana Remus, a professor at the University of North Carolina's law school are the authors of a paper entitled, Can Robots Be Lawyers? Computers, Lawyers, and the Practice of Law. They concluded that document review is largely automated and outsourced, now consuming only 4% of lawyers' time at large firms. That is quite a shift, but it is consistent with what I am hearing from former lawyers/contract reviewers who basically lost their employment, poor paying though it was.

Levy and Remus predict that the gradual pace of AI will reduce lawyers' work at a rate of 2.5% a year over the next five years. That's actually quite a lot in a short time. My own prediction is that all this will go faster than we think.

"Where the technology is going to be in three to five years is the really interesting question," said Ben Allgrove, a partner at Baker McKenzie, a firm with 4,600 lawyers. "And the honest answer is we don't know."

John Fernandez, the chief innovation officer at Dentons, points out that a fair piece of legal work is already being outsourced to Axiom, Thomson Reuters, Elevate and the Big Four accounting firms. Dentons, a global law firm with more than 7,000 lawyers, established an innovation and venture arm, Nextlaw Labs, in 2015. Besides monitoring the latest technology, the unit has invested in seven legal technology start-ups.

Fernandez says "Our industry is being disrupted, and we should do some of that ourselves, not just be a victim of it."

He's right of course, and that is precisely why large law firms are beginning to make sizeable investments in AI. Clients want its efficiencies and lower costs. But the price is certainly going to be human jobs – we can only speculate on how many and when it will happen but it seems a foregone conclusion to me.

April 18, 2017

Cloud Nine's Doug Austin has a great blog post on In Liguria Foods, Inc. v. Griffith Laboratories, Inc., (N.D. Iowa Mar. 13, 2017). Iowa District Judge Mark W. Bennett declined to sanction the parties for issuing boilerplate objections, but strongly warned them that the use of boilerplate objections in the future would place counsel and their clients at risk for significant sanctions.

The case involved millions of dollars' worth of sausage that turned rancid. It became apparent to Judge Bennett (during a review of another discovery dispute) that both parties had submitted "obstructionist discovery responses" to each other during the discovery process. On January 27, 2017, Judge Bennett entered an Order To Show Cause Why Counsel For Both Parties Should Not Be Sanctioned For Discovery Abuses And Directions For Further Briefing, directing the parties to file, under seal, all their written responses to each other's discovery requests by the following day. Judge Bennett also notified counsel of his intention to impose sanctions on every attorney who signed the discovery responses, if he determined that the responses were, indeed, improper or abusive.

The parties filed their written responses to discovery requests, as directed, the following day. Based on his review of the discovery responses, Judge Bennett identified numerous discovery responses, from both sides, that he identified as improper in this ruling. According to Judge Bennett, the improper objections included:

"not reasonably calculated to lead to the discovery of admissible evidence";

"subject to and without waiving its general and specific objections";

"to the extent they seek information that is protected from discovery under the attorney-client privilege, the attorney work-product doctrine or is otherwise privileged or protected from disclosure"; and

"overbroad and unduly burdensome."

If you've ever litigated you know how often the words above appear in responses to discovery requests and how angry those words can make judges.

In its brief in response to the Order To Show Cause, the plaintiff acknowledged that many of its objections were not stated with specificity, but asserted that it had not interposed any objection "for any improper purpose, such as to harass, cause unnecessary delay, or needlessly increase the cost of litigation" and that some of its objections did include explanations. The defendant, in its brief, stated that its written responses to the plaintiff's discovery requests were not intended for any improper purposes and that the parties had conducted the litigation in a cooperative and professional manner. The defendant also noted that a magistrate judge had reviewed various defendant responses and found no fault with them, contending that both parties relied on standard "boilerplate" language to assure that they were not waiving their rights while they met and conferred about the scope of privileges, pertinent time periods, among other issues.

Both sets of counsel ultimately admitted that the reason they used "boilerplate" objections had a lot to do with the way they were trained, the kinds of responses that they had received from opposing parties, and the "culture" that routinely involved the use of such "standardized" responses.

You see what I'm talking about? It's everywhere and everyone (nearly) does it.

Judge Bennett evaluated each of the boilerplate objections, identifying violations of Rule 26(d), 26(b)(5)(A)(iii) and the "specificity" requirements of Rules 33(b)(4) and 34(b)(2). However, in part because the parties "did not try to raise frivolous defenses for their conduct when called on" the use of "boilerplate" objections, Judge Bennett declined to sanction the parties this time. Instead, he provided a new Supplemental Trial Management Order, advising the lawyers for the parties that "in conducting discovery, form or boilerplate objections shall not be used and, if used, may subject the party and/or its counsel to sanctions. Objections must be specific and state an adequate individualized basis."

Here is the full conclusion of the order with, as I noted earlier, all caps to drive home (presumably) how serious the judge is.

"NO MORE WARNINGS. IN THE FUTURE, USING "BOILERPLATE" OBJECTIONS TO DISCOVERY IN ANY CASE BEFORE ME PLACES COUNSEL AND THEIR CLIENTS AT RISK FOR SUBSTANTIAL SANCTIONS."

I've never met Judge Bennett, but after reading his words, I took an immediate shine to him.

April 17, 2017

The Electronic Frontier Foundation (EFF) reported that, as of February, approximately half of Internet traffic was protected by HTTPS, making us safer from the eavesdropping, content hijacking, cookie stealing, and censorship that HTTPS can protect against.

Mozilla backed that up, stating that the average volume of encrypted web traffic on Firefox now surpasses the average unencrypted volume. Google Chrome's figures on HTTPS usage are consistent with that finding, showing that over 50% of all pages loaded are protected by HTTPS across different operating systems.

This milestone is a combination of HTTPS implementation victories involving tech giants, large content providers, small websites and users themselves.

Starting in 2010, privacy advocates pushed tech companies to follow crypto best practices, applauding when Facebook and Twitter implemented HTTPS by default, and when Wikipedia and several other popular sites later followed suit. Google put pressure on the tech community by using HTTPS as a signal in search ranking algorithms and, starting this year, showing security warnings in Chrome when users load HTTP sites that request passwords or credit card numbers.

EFF's Encrypt the Web Report also played a big role in tracking and encouraging specific practices. Recently other organizations have followed suit with more sophisticated tracking projects. For example, Secure the News and Pulse track HTTPS progress among news media sites and U.S. government sites, respectively.

HTTPS implementation needs to be accessible to independent, smaller websites. Let's Encrypt and Certbot are game changers, turning the process into an easy and affordable task for webmasters across a range of resource and skill levels.

Let's Encrypt is a Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors. As a CA, Let's Encrypt issues and maintains digital certificates that help web users and their browsers know they're actually talking to the site they intended to. CAs are crucial to secure, HTTPS-encrypted communication, as these certificates verify the association between an HTTPS site and a cryptographic public key. Through EFF's Certbot tool, webmasters can get a free certificate from Let's Encrypt and automatically configure their server to use it.
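The browser's half of what that paragraph describes is checking that the certificate a server presents is actually for the name the user typed, by comparing it against the certificate's Subject Alternative Name entries. The following is an added example, not code from EFF, Let's Encrypt or Certbot, of that name-matching step written from scratch; the SAN list it checks against is constructed for the example, in the `("DNS", name)` / `("IP Address", addr)` shape that Python's `ssl.getpeercert()` reports.

```python
"""Hostname matching against a certificate's Subject Alternative Names.

Added example (not EFF's, Let's Encrypt's or Certbot's code): the check a
browser performs after the TLS handshake to confirm the certificate covers the
host that was requested. The SAN entries used below are constructed.
"""
import ipaddress


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a wildcard is honoured only when it is the whole label.

    Partial wildcards such as "w*.example.org" are rejected, as browsers do.
    """
    if pattern == "*":
        return True
    if "*" in pattern:
        return False
    return pattern == label


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname (RFC 6125 style rules).

    - comparison is case-insensitive and ignores a trailing dot;
    - label counts must be equal, so "*.example.org" never covers "example.org"
      and never covers "a.b.example.org";
    - a wildcard may appear only in the leftmost label, and only when at least
      two more labels follow it, so "*.com" is not accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers_host(san_entries, hostname: str) -> bool:
    """san_entries: list of ("DNS", name) or ("IP Address", addr) tuples.

    A literal IP address is only ever matched against iPAddress entries, never
    against dNSName entries, and vice versa.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


# Constructed SAN list standing in for what a real leaf certificate would carry.
SAMPLE_SAN = [
    ("DNS", "example.org"),
    ("DNS", "*.example.org"),
    ("IP Address", "203.0.113.10"),
]

if __name__ == "__main__":
    for host in ["example.org", "www.example.org", "a.b.example.org",
                 "evil-example.org", "203.0.113.10", "203.0.113.11"]:
        print(f"{host:20s} covered: {certificate_covers_host(SAMPLE_SAN, host)}")
```

The two easy mistakes this guards against are accepting a wildcard that spans more than one label, and doing a plain suffix comparison, which would let a certificate for `example.org` be accepted for `evil-example.org`.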

Since the EFF announced that Let's Encrypt was the web's largest certificate authority last October, it has exploded from 12 million certs to over 28 million. Most of Let's Encrypt's growth has come from giving previously unencrypted sites their first-ever certificates.

A large share of these leaps in HTTPS adoption are also thanks to major hosting companies and platforms, like WordPress.com, Squarespace, and dozens of others, integrating Let's Encrypt and providing HTTPS to their users and customers.

Unfortunately, you can only use HTTPS on websites that support it, and about half of all web traffic is still with sites that don't. However, when sites partially support HTTPS, users can step in with the HTTPS Everywhere browser extension.

A collaboration between EFF and the Tor Project, HTTPS Everywhere makes your browser use HTTPS wherever possible. Some websites offer inconsistent support for HTTPS, use unencrypted HTTP as a default, or link from secure HTTPS pages to unencrypted HTTP pages. HTTPS Everywhere fixes these problems by rewriting requests to these sites to HTTPS, automatically activating encryption and HTTPS protection that might otherwise slip through the cracks.
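The mechanism behind that rewriting is a per-site ruleset: which hosts it covers, a regex that turns an http:// URL into its https:// form, and exclusions for paths the site does not serve over TLS. The following is an added example, not code from EFF, the Tor Project or the HTTPS Everywhere extension; the ruleset format is a simplified one assumed for the example (the real extension uses XML rulesets with a richer syntax), and every ruleset and URL below is constructed.

```python
"""A ruleset-driven HTTP-to-HTTPS request rewriter.

Added example, not HTTPS Everywhere's own code: it shows the kind of per-site
rewriting the post describes. The ruleset format is an assumed simplification
and the rulesets and URLs below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Ruleset:
    name: str
    targets: list                                    # hostnames; "*.example.org" covers any subdomain
    rules: list                                      # (from_pattern, to_template) pairs; first match wins
    exclusions: list = field(default_factory=list)   # URLs matching these are never rewritten


def host_in_targets(host: str, targets) -> bool:
    """Exact host match, or a leading '*.' wildcard covering one or more labels."""
    for target in targets:
        if target.startswith("*."):
            if host.endswith(target[1:]):       # ".example.org" suffix, so the bare name is excluded
                return True
        elif host == target:
            return True
    return False


def rewrite(url: str, rulesets) -> Optional[str]:
    """Return the HTTPS URL to load instead of `url`, or None if no ruleset applies.

    An https:// URL is returned unchanged. If the first applicable ruleset lists
    the URL as an exclusion, the request is left on plain HTTP (None), because
    the site is known not to serve that path over TLS.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    for rs in rulesets:
        if not host_in_targets(host, rs.targets):
            continue
        if any(re.search(pat, url) for pat in rs.exclusions):
            return None
        for from_pattern, to_template in rs.rules:
            new_url, n = re.subn(from_pattern, to_template, url, count=1)
            if n:
                return new_url
    return None


# Constructed rulesets. "Example" canonicalises the apex and www hosts to
# https://www.example.org/ and upgrades other subdomains in place, except for a
# legacy host that only speaks HTTP. "News" upgrades one host but leaves its
# archive paths alone.
RULESETS = [
    Ruleset(
        name="Example",
        targets=["example.org", "*.example.org"],
        rules=[
            (r"^http://(www\.)?example\.org/", "https://www.example.org/"),
            (r"^http://([a-z0-9-]+\.)example\.org/", r"https://\1example.org/"),
        ],
        exclusions=[r"^http://legacy\.example\.org/"],
    ),
    Ruleset(
        name="News",
        targets=["news.example.net"],
        rules=[(r"^http://news\.example\.net/", "https://news.example.net/")],
        exclusions=[r"^http://news\.example\.net/(old|archive)/"],
    ),
]

if __name__ == "__main__":
    for url in ["http://example.org/a?b=1", "http://blog.example.org/p",
                "http://legacy.example.org/x", "http://news.example.net/today",
                "http://news.example.net/archive/1", "http://other.example.com/"]:
        print(f"{url:40s} -> {rewrite(url, RULESETS)}")
```

Running the block prints each constructed URL beside its rewritten form (or `None` where the rulesets decline to touch it), which is the same decision a browser extension of this kind makes before the request leaves the browser.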

April 13, 2017

In 2016, it took an average of nine months to detect and contain each data breach according to SC Media. Worse yet, the total number of identities exposed via data breaches increased 23% to 429 million.

What can you do to decrease that time and reduce your risk of exposure? SC Media Industry Buzz offers a link to a whitepaper called Practical Guide to Efficient Security Response, which includes seven security operations capabilities you need, a handy checklist to evaluate your security operations capabilities, and best practices for efficient security response.

April 12, 2017

A Naked Security story reports that Check Point analyzed Android devices owned by two large companies, and found malware infections in 36 of them. The users hadn't downloaded the malware; it arrived with the devices, meaning that it was installed somewhere along the supply chain.

The malware in the phones ranged from adware that displayed illegitimate commercials to information stealers. There was even a mobile ransomware instance lurking on some of the phones. In this case, attackers installed malware on device ROMs using system privileges, meaning that the user couldn't get rid of it.

So you might not want to look at that box with utter glee that your new phone is here. It may have come with "a little something extra."

A device goes through multiple stages at the factory before shipping to logistics companies that may hand it off to yet more logistics firms multiple times. Eventually, it will hit the local sales channel, where there are also many opportunities for bad guys to get their hands on it.

There have been cases of supply chain compromise in other devices, too, with malware turning up in something as innocuous as a digital picture frame. In an Internet of Things world, looking innocuous isn't worth a tinker's dam.

Perhaps the most insidious supply chain compromise yet is the one carried out by the US government. Glenn Greenwald's book No Place To Hide revealed how the NSA systematically intercepts the delivery of computer network devices and redirects them to a secret Tailored Access Operations location. Its operatives install "beacon implants" before repackaging them and sending them on their way. This then gives the organization direct access to "hard target" networks around the world.

The outrage felt by Cisco about the NSA's campaign impelled it to begin shipping boxes to vacant addresses for its more sensitive customers, making it more difficult for government agents to identify shipments destined for interesting targets.

There are best practices to help minimize the risk of compromise. Only buy from top-name vendors. Check to see what encryption standard the vendor is using and see if there's a known weakness. Use multiple encryption technologies rather than relying on the manufacturer's chosen one. Segment assets that hold data from each other, so that if one device or network segment is compromised, attackers can't move laterally through the organization.

Another more controversial measure might be to look at the product's own technology ecosystem and conduct a risk analysis. Android phones are the ones getting compromised at the factory because it's an open source operating system and manufacturers have a great deal of latitude in terms of how they configure it.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.